I am looking to secure WinLogBeat and I was wondering if you can use SSL alongside the username/password authentication. With SSL enabled, the username/password doesn't seem to make a difference on WinLogBeat when communicating with the Elastic Stack. The cluster is up and WinLogBeat sends logs with no problem with SSL enabled. The username/password configured on the WLB side and on the ROR side doesn't seem to take effect. Am I missing a setting?
Elastic - 6.2
WinLogBeat - 6.2
Kibana - 6.2 (Left out Kibana info because I don’t think it is relevant at this point)
A basic configuration for a 2-node Elastic cluster and WinLogBeat looks like this:
Node-1 elasticsearch.yml

  cluster.name: "Cluster-1"
  node.master: true
  node.data: false
  node.ingest: false
  node.name: "node-1"
  network.host: 192.168.1.10
  http.port: 9200
  discovery.zen.ping.unicast.hosts: ["192.168.1.20"]
  discovery.zen.minimum_master_nodes: 1
  # ------------------------------- ReadOnlyREST ---------------------------------
  http.type: ssl_netty4
Node-1 readonlyrest.yml

  readonlyrest:
    ssl:
      enable: true
      keystore_file: "keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      allowed_protocols: [TLSv1.2]
    access_control_rules:
    - name: "winlogbeat/kibana can write and create its own indices"
      auth_key_sha256: cc2db7731825a9cb972e9e3860285fc04b56bbd71b99a3e72ab7d8e3c46a55a2
      actions: ["indices:data/read/*", "indices:data/write/*", "indices:admin/template/*", "indices:admin/create"]
      indices: ["winlogbeat-*", ".kibana*"]
    - name: "Allow all nodes to communicate"
      hosts: ["192.168.1.10", "192.168.1.20"]

  # cc2db7731825a9cb972e9e3860285fc04b56bbd71b99a3e72ab7d8e3c46a55a2 = winlogbeat:winlogbeat (as seen in winlogbeat.yml)
Node-2 elasticsearch.yml

  cluster.name: "Cluster-1"
  node.master: false
  node.data: true
  node.ingest: false
  node.name: "node-2"
  network.host: 192.168.1.20
  http.port: 9200
  discovery.zen.ping.unicast.hosts: ["192.168.1.10"]
  discovery.zen.minimum_master_nodes: 1
  # ------------------------------- ReadOnlyREST ---------------------------------
  http.type: ssl_netty4
Node-2 readonlyrest.yml

  readonlyrest:
    ssl:
      enable: true
      keystore_file: "keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      allowed_protocols: [TLSv1.2]
    access_control_rules:
    - name: "winlogbeat can write and create its own indices"
      auth_key_sha256: cc2db7731825a9cb972e9e3860285fc04b56bbd71b99a3e72ab7d8e3c46a55a2
      actions: ["indices:data/read/*", "indices:data/write/*", "indices:admin/template/*", "indices:admin/create"]
      indices: ["winlogbeat-*", ".kibana*"]
    - name: "Allow all nodes to communicate"
      hosts: ["192.168.1.10", "192.168.1.20"]

  # cc2db7731825a9cb972e9e3860285fc04b56bbd71b99a3e72ab7d8e3c46a55a2 = winlogbeat:winlogbeat (as seen in winlogbeat.yml)
winlogbeat.yml (used for multiple clients)

  winlogbeat.event_logs:
    - name: Microsoft-Windows-Sysmon/Operational
      ignore_older: 2160h

  #==================== Elasticsearch template setting ==========================
  setup.template.settings:
    index.number_of_shards: 3

  setup.kibana:
    host: "https://192.168.1.10:5601"

  #-------------------------- Elasticsearch output ------------------------------
  output.elasticsearch:
    hosts: "my.domain.com:9200"
    # my.domain.com --> 192.168.1.10

    #============================== Security ===============================
    username: winlogbeat
    password: winlogbeat
    ssl.enabled: true
    protocol: https
    ssl.certificate_authorities: 'ca.crt'
    ssl.certificate: 'node2.crt'
    ssl.key: 'node2.key'
    # none: the server certificate presented by Elasticsearch is not verified
    ssl.verification_mode: none
Any help would be greatly appreciated!
Note: IP Addresses and creds changed to fake values.
Nic
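The first thing worth checking when a ReadOnlyREST `auth_key_sha256` rule appears not to take effect is whether the hash in readonlyrest.yml really is the SHA-256 of the `user:password` pair that winlogbeat sends in its `Authorization: Basic` header. The script below is an added example, not code from the post above or from ReadOnlyREST: it computes the hash in the form ReadOnlyREST expects, builds the Basic header a beats client would send for the configured username/password, and checks one against the other. `POSTED_RULE_HASH` is the value from the post; since the post says its credentials were replaced with fake values, the script reports rather than assumes whether `winlogbeat:winlogbeat` matches it.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Hash copied from the readonlyrest.yml in the post above. The post states the
# credentials were changed to fake values, so it may or may not match
# "winlogbeat:winlogbeat"; the script checks instead of assuming.
POSTED_RULE_HASH = "cc2db7731825a9cb972e9e3860285fc04b56bbd71b99a3e72ab7d8e3c46a55a2"


def sha256_hex(text: str) -> str:
    """Lowercase hex SHA-256 of a UTF-8 string."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def ror_auth_key_sha256(username: str, password: str) -> str:
    """Value ReadOnlyREST expects in auth_key_sha256: SHA-256 of 'user:password'."""
    return sha256_hex(f"{username}:{password}")


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value a client such as winlogbeat sends for
    output.elasticsearch.username / password."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_header(header: str) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64>' back into (user, password); None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def header_matches_rule(header: str, rule_hash: str) -> bool:
    """True if the Basic credentials in the header hash to the rule's
    auth_key_sha256 value. Constant-time compare to avoid leaking timing."""
    creds = credentials_from_header(header)
    if creds is None:
        return False
    return hmac.compare_digest(ror_auth_key_sha256(*creds), rule_hash.strip().lower())


if __name__ == "__main__":
    user, password = "winlogbeat", "winlogbeat"  # values from the winlogbeat.yml above
    header = basic_auth_header(user, password)
    print("client would send:", header)
    print("expected auth_key_sha256:", ror_auth_key_sha256(user, password))
    print("posted hash          :", POSTED_RULE_HASH)
    print("credentials match posted rule:", header_matches_rule(header, POSTED_RULE_HASH))
```

If the two hashes printed differ, the `auth_key_sha256` block can never match the client and access must be coming from some other block in `access_control_rules`; if they are equal, the credential check itself is sound and the remaining question is which block ReadOnlyREST is matching first.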